To generate a keypair
Most cloud images support public key authentication rather than conventional username/password authentication. Before launching an instance, you must generate a public/private key pair using ssh-keygen and add the public key to your OpenStack environment.
Source the
demotenant credentials:$ source demo-openrc.sh
Generate a key pair:
$ ssh-keygen
Add the public key to your OpenStack environment:
$ nova keypair-add --pub-key ~/.ssh/id_rsa.pub demo-key
![[Note]](../common/images/admon/note.png)
Note This command provides no output.
Verify addition of the public key:
$ nova keypair-list +----------+-------------------------------------------------+ | Name | Fingerprint | +----------+-------------------------------------------------+ | demo-key | 6c:74:ec:3a:08:05:4e:9e:21:22:a6:dd:b2:62:b8:28 | +----------+-------------------------------------------------+
To launch an instance
To launch an instance, you must at least specify the flavor, image name, network, security group, key, and instance name.
A flavor specifies a virtual resource allocation profile which includes processor, memory, and storage.
List available flavors:
$ nova flavor-list +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+ | ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public | +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+ | 1 | m1.tiny | 512 | 1 | 0 | | 1 | 1.0 | True | | 2 | m1.small | 2048 | 20 | 0 | | 1 | 1.0 | True | | 3 | m1.medium | 4096 | 40 | 0 | | 2 | 1.0 | True | | 4 | m1.large | 8192 | 80 | 0 | | 4 | 1.0 | True | | 5 | m1.xlarge | 16384 | 160 | 0 | | 8 | 1.0 | True | +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
Your first instance uses the
m1.tinyflavor.Note You can also reference a flavor by ID.
List available images:
$ nova image-list +--------------------------------------+---------------------+--------+--------+ | ID | Name | Status | Server | +--------------------------------------+---------------------+--------+--------+ | acafc7c0-40aa-4026-9673-b879898e1fc2 | cirros-0.3.2-x86_64 | ACTIVE | | +--------------------------------------+---------------------+--------+--------+
Your first instance uses the
cirros-0.3.2-x86_64image.List available networks:
$ neutron net-list +--------------------------------------+----------+-------------------------------------------------------+ | id | name | subnets | +--------------------------------------+----------+-------------------------------------------------------+ | 3c612b5a-d1db-498a-babb-a4c50e344cb1 | demo-net | 20bcd3fd-5785-41fe-ac42-55ff884e3180 192.168.1.0/24 | | 9bce64a3-a963-4c05-bfcd-161f708042d1 | ext-net | b54a8d85-b434-4e85-a8aa-74873841a90d 203.0.113.0/24 | +--------------------------------------+----------+-------------------------------------------------------+
Your first instance uses the
demo-nettenant network. However, you must reference this network using the ID instead of the name.List available security groups:
$ nova secgroup-list +--------------------------------------+---------+-------------+ | Id | Name | Description | +--------------------------------------+---------+-------------+ | ad8d4ea5-3cad-4f7d-b164-ada67ec59473 | default | default | +--------------------------------------+---------+-------------+
Your first instance uses the
defaultsecurity group. By default, this security group implements a firewall that blocks remote access to instances. If you would like to permit remote access to your instance, launch it and then configure remote access.Launch the instance:
Replace
DEMO_NET_IDwith the ID of thedemo-nettenant network.$ nova boot --flavor m1.tiny --image cirros-0.3.2-x86_64 --nic net-id=
DEMO_NET_ID\ --security-group default --key-name demo-keydemo-instance1+--------------------------------------+------------------------------------------------------------+ | Property | Value | +--------------------------------------+------------------------------------------------------------+ | OS-DCF:diskConfig | MANUAL | | OS-EXT-AZ:availability_zone | nova | | OS-EXT-STS:power_state | 0 | | OS-EXT-STS:task_state | scheduling | | OS-EXT-STS:vm_state | building | | OS-SRV-USG:launched_at | - | | OS-SRV-USG:terminated_at | - | | accessIPv4 | | | accessIPv6 | | | adminPass | vFW7Bp8PQGNo | | config_drive | | | created | 2014-04-09T19:24:27Z | | flavor | m1.tiny (1) | | hostId | | | id | 05682b91-81a1-464c-8f40-8b3da7ee92c5 | | image | cirros-0.3.2-x86_64 (acafc7c0-40aa-4026-9673-b879898e1fc2) | | key_name | demo-key | | metadata | {} | | name | demo-instance1 | | os-extended-volumes:volumes_attached | [] | | progress | 0 | | security_groups | default | | status | BUILD | | tenant_id | 7cf50047f8df4824bc76c2fdf66d11ec | | updated | 2014-04-09T19:24:27Z | | user_id | 0e47686e72114d7182f7569d70c519c9 | +--------------------------------------+------------------------------------------------------------+Check the status of your instance:
$ nova list +--------------------------------------+----------------+--------+------------+-------------+-------------------------+ | ID | Name | Status | Task State | Power State | Networks | +--------------------------------------+----------------+--------+------------+-------------+-------------------------+ | 05682b91-81a1-464c-8f40-8b3da7ee92c5 | demo-instance1 | ACTIVE | - | Running | demo-net=192.168.1.3 | +--------------------------------------+----------------+--------+------------+-------------+-------------------------+
The status changes from
BUILDtoACTIVEwhen your instance finishes the build process.
To access your instance using a virtual console
Obtain a Virtual Network Computing (VNC) session URL for your instance and access it from a web browser:
$ nova get-vnc-console
demo-instance1novnc +-------+------------------------------------------------------------------------------------+ | Type | Url | +-------+------------------------------------------------------------------------------------+ | novnc | http://controller:6080/vnc_auto.html?token=2f6dd985-f906-4bfc-b566-e87ce656375b | +-------+------------------------------------------------------------------------------------+Note If your web browser runs on a host that cannot resolve the
controllerhost name, you can replacecontrollerwith the IP address of the management interface on your controller node.The CirrOS image includes conventional username/password authentication and provides these credentials at the login prompt. After logging into CirrOS, we recommend that you verify network connectivity using ping.
Verify the
demo-nettenant network gateway:$ ping -c 4 192.168.1.1 PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. 64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms 64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms 64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms 64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms --- 192.168.1.1 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 2998ms rtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms
Verify the
ext-netexternal network:$ ping -c 4 openstack.org PING openstack.org (174.143.194.225) 56(84) bytes of data. 64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms 64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms 64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms 64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms --- openstack.org ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3003ms rtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms
To access your instance remotely
Add rules to the
defaultsecurity group:Permit ICMP (ping):
$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0 +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | icmp | -1 | -1 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
Permit secure shell (SSH) access:
$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0 +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | tcp | 22 | 22 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
Create a floating IP address on the
ext-netexternal network:$ neutron floatingip-create ext-net Created a new floatingip: +---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | fixed_ip_address | | | floating_ip_address | 203.0.113.102 | | floating_network_id | 9bce64a3-a963-4c05-bfcd-161f708042d1 | | id | 05e36754-e7f3-46bb-9eaa-3521623b3722 | | port_id | | | router_id | | | status | DOWN | | tenant_id | 7cf50047f8df4824bc76c2fdf66d11ec | +---------------------+--------------------------------------+
Associate the floating IP address with your instance:
$ nova floating-ip-associate demo-instance1 203.0.113.102
Note This command provides no output.
Check the status of your floating IP address:
$ nova list +--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+ | ID | Name | Status | Task State | Power State | Networks | +--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+ | 05682b91-81a1-464c-8f40-8b3da7ee92c5 | demo-instance1 | ACTIVE | - | Running | demo-net=192.168.1.3, 203.0.113.102 | +--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+
Verify network connectivity using ping from the controller node or any host on the external network:
$ ping -c 4 203.0.113.102 PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data. 64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms 64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms 64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms 64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms --- 203.0.113.102 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3002ms rtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms
Access your instance using SSH from the controller node or any host on the external network:
$ ssh [email protected] The authenticity of host '203.0.113.102 (203.0.113.102)' can't be established. RSA key fingerprint is ed:05:e9:e7:52:a0:ff:83:68:94:c7:d1:f2:f8:e2:e9. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '203.0.113.102' (RSA) to the list of known hosts. $
Note If your host does not contain the public/private key pair created in an earlier step, SSH prompts for the default password associated with the
cirrosuser.
If your instance does not launch or seem to work as you expect, see the OpenStack Operations Guide for more information or use one of the many other options to seek assistance. We want your environment to work!
